cartography 0.93.0rc1__py3-none-any.whl → 0.94.0__py3-none-any.whl

cartography/cli.py

@@ -541,6 +541,28 @@ class CLI:
                 'Required if you are using the Semgrep intel module. Ignored otherwise.'
             ),
         )
+        parser.add_argument(
+            '--snipeit-base-uri',
+            type=str,
+            default=None,
+            help=(
+                'Your SnipeIT base URI'
+                'Required if you are using the SnipeIT intel module. Ignored otherwise.'
+            ),
+        )
+        parser.add_argument(
+            '--snipeit-token-env-var',
+            type=str,
+            default=None,
+            help='The name of an environment variable containing token with which to authenticate to SnipeIT.',
+        )
+        parser.add_argument(
+            '--snipeit-tenant-id',
+            type=str,
+            default=None,
+            help='An ID for the SnipeIT tenant.',
+        )
+
         return parser
 
     def main(self, argv: str) -> int:
@@ -744,6 +766,26 @@ class CLI:
         else:
             config.cve_api_key = None
 
+        # SnipeIT config
+        if config.snipeit_base_uri:
+            if config.snipeit_token_env_var:
+                logger.debug(
+                    "Reading SnipeIT API token from environment variable '%s'.",
+                    config.snipeit_token_env_var,
+                )
+                config.snipeit_token = os.environ.get(config.snipeit_token_env_var)
+            elif os.environ.get('SNIPEIT_TOKEN'):
+                logger.debug(
+                    "Reading SnipeIT API token from environment variable 'SNIPEIT_TOKEN'.",
+                )
+                config.snipeit_token = os.environ.get('SNIPEIT_TOKEN')
+            else:
+                logger.warning("A SnipeIT base URI was provided but a token was not.")
+                config.kandji_token = None
+        else:
+            logger.warning("A SnipeIT base URI was not provided.")
+            config.snipeit_base_uri = None
+
         # Run cartography
         try:
             return cartography.sync.run_with_config(self.sync, config)

cartography/config.py

@@ -111,6 +111,12 @@ class Config:
     :param duo_api_hostname: The Duo api hostname, e.g. "api-abc123.duosecurity.com". Optional.
     :param semgrep_app_token: The Semgrep api token. Optional.
     :type semgrep_app_token: str
+    :type snipeit_base_uri: string
+    :param snipeit_base_uri: SnipeIT data provider base URI. Optional.
+    :type snipeit_token: string
+    :param snipeit_token: Token used to authenticate to the SnipeIT data provider. Optional.
+    :type snipeit_tenant_id: string
+    :param snipeit_tenant_id: Token used to authenticate to the SnipeIT data provider. Optional.
     """
 
     def __init__(
@@ -170,6 +176,9 @@ class Config:
         duo_api_secret=None,
         duo_api_hostname=None,
         semgrep_app_token=None,
+        snipeit_base_uri=None,
+        snipeit_token=None,
+        snipeit_tenant_id=None,
     ):
         self.neo4j_uri = neo4j_uri
         self.neo4j_user = neo4j_user
@@ -226,3 +235,6 @@ class Config:
         self.duo_api_secret = duo_api_secret
         self.duo_api_hostname = duo_api_hostname
         self.semgrep_app_token = semgrep_app_token
+        self.snipeit_base_uri = snipeit_base_uri
+        self.snipeit_token = snipeit_token
+        self.snipeit_tenant_id = snipeit_tenant_id

cartography/data/jobs/scoped_analysis/semgrep_sca_risk_analysis.json

@@ -13,47 +13,47 @@
         },
         {
             "__comment__": "not possible to identify if reachable && version specifier is the only flag of the vulnerability (likelihood = rare) && severity in [low, medium, high] -> Risk = Info",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'UNKNOWN_EXPOSURE', reachability_check:'VERSION_SPECIFIER', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity IN ['LOW', 'MEDIUM', 'HIGH'] SET s.reachability_risk = 'INFO' return COUNT(*) as TotalCompleted",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'UNREACHABLE', reachability_check:'NO REACHABILITY ANALYSIS', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity IN ['LOW', 'MEDIUM', 'HIGH'] SET s.reachability_risk = 'INFO' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
             "__comment__": "not possible to identify if reachable && version specifier is the only flag of the vulnerability (likelihood = rare) && severity = critical -> Risk = Low",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'UNKNOWN_EXPOSURE', reachability_check:'VERSION_SPECIFIER', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'CRITICAL' SET s.reachability_risk = 'LOW' return COUNT(*) as TotalCompleted",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'UNREACHABLE', reachability_check:'NO REACHABILITY ANALYSIS', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'CRITICAL' SET s.reachability_risk = 'LOW' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
-            "__comment__": "manual review required to confirm && version specifier is the only flag of the vulnerability (likelihood = possible) && severity in [low, medium] -> Risk = Low",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'MANUAL_REVIEW_REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity IN ['LOW', 'MEDIUM'] SET s.reachability_risk = 'LOW' return COUNT(*) as TotalCompleted",
+            "__comment__": "manual review required to confirm exploitation when conditions met && identified version is vulnerable (likelihood = possible) && severity in [low, medium] -> Risk = Low",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'CONDITIONALLY REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity IN ['LOW', 'MEDIUM'] SET s.reachability_risk = 'LOW' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
-            "__comment__": "manual review required to confirm && version specifier is the only flag of the vulnerability (likelihood = possible) && severity = high -> Risk = Medium",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'MANUAL_REVIEW_REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'HIGH' SET s.reachability_risk = 'MEDIUM' return COUNT(*) as TotalCompleted",
+            "__comment__": "manual review required to confirm exploitation when conditions met && identified version is vulnerable (likelihood = possible) && severity = high -> Risk = Medium",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'CONDITIONALLY REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'HIGH' SET s.reachability_risk = 'MEDIUM' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
-            "__comment__": "manual review required to confirm && version specifier is the only flag of the vulnerability (likelihood = possible) &&  severity = critical -> Risk = High",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'MANUAL_REVIEW_REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'CRITICAL' SET s.reachability_risk = 'HIGH' return COUNT(*) as TotalCompleted",
+            "__comment__": "manual review required to confirm exploitation when conditions met && identified version is vulnerable (likelihood = possible) &&  severity = critical -> Risk = High",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'CONDITIONALLY REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'CRITICAL' SET s.reachability_risk = 'HIGH' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
             "__comment__": "adding the vulnerable version flags it reachable (likelihood = likely) && severity in [low, medium] -> Risk = Low",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'ALWAYS_REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity IN ['LOW','MEDIUM'] SET s.reachability_risk = 'LOW' return COUNT(*) as TotalCompleted",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'ALWAYS REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity IN ['LOW','MEDIUM'] SET s.reachability_risk = 'LOW' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
-            "__comment__": "adding the vulnerable version flags it reachable (likelihood = likely) && severity = high -> Risk = Low",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'ALWAYS_REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'HIGH' SET s.reachability_risk = 'MEDIUM' return COUNT(*) as TotalCompleted",
+            "__comment__": "adding the vulnerable version flags it reachable (likelihood = likely) && severity = high -> Risk = Medium",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'ALWAYS REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'HIGH' SET s.reachability_risk = 'MEDIUM' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
             "__comment__": "adding the vulnerable version flags it reachable (special case for critical, if something is so critical that needs to be fixed, likelihood = likely)) && severity = critical -> Risk = Critical",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'ALWAYS_REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'CRITICAL' SET s.reachability_risk = 'CRITICAL' return COUNT(*) as TotalCompleted",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'ALWAYS REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) WHERE s.severity = 'CRITICAL' SET s.reachability_risk = 'CRITICAL' return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {
             "__comment__": "if reachability analysis confirmed that is rechable (likelihood = certain) -> Risk = Severity",
-            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'REACHABILITY', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) SET s.reachability_risk = s.severity return COUNT(*) as TotalCompleted",
+            "query": "MATCH (g:GitHubRepository{archived:false})<-[:FOUND_IN]-(s:SemgrepSCAFinding{reachability:'REACHABLE', reachability_check:'REACHABLE', lastupdated:$UPDATE_TAG})<-[:RESOURCE]-(:SemgrepDeployment{id:$DEPLOYMENT_ID}) SET s.reachability_risk = s.severity return COUNT(*) as TotalCompleted",
             "iterative": false
         },
         {

cartography/graph/job.py

@@ -150,7 +150,14 @@ class GraphJob:
             )
 
         statements: List[GraphStatement] = [
-            GraphStatement(query, parameters=parameters, iterative=True, iterationsize=100) for query in queries
+            GraphStatement(
+                query,
+                parameters=parameters,
+                iterative=True,
+                iterationsize=100,
+                parent_job_name=node_schema.label,
+                parent_job_sequence_num=idx,
+            ) for idx, query in enumerate(queries, start=1)
         ]
 
         return cls(

cartography/intel/aws/ec2/launch_templates.py

@@ -3,6 +3,7 @@ from typing import Any
 
 import boto3
 import neo4j
+from botocore.exceptions import ClientError
 
 from .util import get_botocore_config
 from cartography.client.core.tx import load
@@ -17,13 +18,30 @@ logger = logging.getLogger(__name__)
 
 @timeit
 @aws_handle_regions
-def get_launch_templates(boto3_session: boto3.session.Session, region: str) -> list[dict[str, Any]]:
+def get_launch_templates(
+    boto3_session: boto3.session.Session,
+    region: str,
+) -> tuple[list[dict[str, Any]], list[dict[str, Any]]]:
     client = boto3_session.client('ec2', region_name=region, config=get_botocore_config())
     paginator = client.get_paginator('describe_launch_templates')
     templates: list[dict[str, Any]] = []
+    template_versions: list[dict[str, Any]] = []
     for page in paginator.paginate():
-        templates.extend(page['LaunchTemplates'])
-    return templates
+        paginated_templates = page['LaunchTemplates']
+        for template in paginated_templates:
+            template_id = template['LaunchTemplateId']
+            try:
+                versions = get_launch_template_versions_by_template(boto3_session, template_id, region)
+            except ClientError as e:
+                logger.warning(
+                    f"Failed to get launch template versions for {template_id}: {e}",
+                    exc_info=True,
+                )
+                versions = []
+            # Using a key not defined in latest boto3 documentation
+            template_versions.extend(versions)
+        templates.extend(paginated_templates)
+    return templates, template_versions
 
 
 def transform_launch_templates(templates: list[dict[str, Any]]) -> list[dict[str, Any]]:
@@ -55,17 +73,16 @@ def load_launch_templates(
 
 @timeit
 @aws_handle_regions
-def get_launch_template_versions(
+def get_launch_template_versions_by_template(
         boto3_session: boto3.session.Session,
-        templates: list[dict[str, Any]],
+        template: str,
         region: str,
 ) -> list[dict[str, Any]]:
     client = boto3_session.client('ec2', region_name=region, config=get_botocore_config())
     v_paginator = client.get_paginator('describe_launch_template_versions')
     template_versions = []
-    for template in templates:
-        for versions in v_paginator.paginate(LaunchTemplateId=template['LaunchTemplateId']):
-            template_versions.extend(versions['LaunchTemplateVersions'])
+    for versions in v_paginator.paginate(LaunchTemplateId=template):
+        template_versions.extend(versions['LaunchTemplateVersions'])
     return template_versions
 
 
@@ -136,11 +153,9 @@ def sync_ec2_launch_templates(
 ) -> None:
     for region in regions:
         logger.info(f"Syncing launch templates for region '{region}' in account '{current_aws_account_id}'.")
-        templates = get_launch_templates(boto3_session, region)
+        templates, versions = get_launch_templates(boto3_session, region)
         templates = transform_launch_templates(templates)
         load_launch_templates(neo4j_session, templates, region, current_aws_account_id, update_tag)
-
-        versions = get_launch_template_versions(boto3_session, templates, region)
         versions = transform_launch_template_versions(versions)
         load_launch_template_versions(neo4j_session, versions, region, current_aws_account_id, update_tag)
 

cartography/intel/aws/inspector.py

@@ -18,6 +18,15 @@ from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
 
+# As of 7/22/24, Inspector is only available in the below regions. We will need to update this hardcoded list here over
+# time. :\ https://docs.aws.amazon.com/general/latest/gr/inspector2.html
+AWS_INSPECTOR_REGIONS = {
+    "us-east-2", "us-east-1", "us-west-1", "us-west-2", "af-south-1", "ap-east-1", "ap-southeast-3", "ap-south-1",
+    "ap-northeast-3", "ap-northeast-2", "ap-southeast-1", "ap-southeast-2", "ap-northeast-1", "ca-central-1",
+    "eu-central-1", "eu-west-1", "eu-west-2", "eu-south-1", "eu-west-3", "eu-north-1", "eu-central-2", "me-south-1",
+    "sa-east-1",
+}
+
 
 @timeit
 @aws_handle_regions
@@ -206,7 +215,9 @@ def sync(
     update_tag: int,
     common_job_parameters: Dict[str, Any],
 ) -> None:
-    for region in regions:
+    inspector_regions = [region for region in regions if region in AWS_INSPECTOR_REGIONS]
+
+    for region in inspector_regions:
         logger.info(f"Syncing AWS Inspector findings for account {current_aws_account_id} and region {region}")
         findings = get_inspector_findings(boto3_session, region, current_aws_account_id)
         finding_data, package_data = transform_inspector_findings(findings)

cartography/intel/aws/permission_relationships.py

@@ -322,8 +322,12 @@ def cleanup_rpr(
     )
 
     statement = GraphStatement(
-        cleanup_rpr_query_template, {'UPDATE_TAG': update_tag, 'AWS_ID': current_aws_id},
-        True, 1000,
+        cleanup_rpr_query_template,
+        {'UPDATE_TAG': update_tag, 'AWS_ID': current_aws_id},
+        True,
+        1000,
+        parent_job_name=f"{relationship_name}:{node_label}",
+        parent_job_sequence_num=1,
     )
     statement.run(neo4j_session)
 

cartography/intel/github/teams.py

@@ -1,4 +1,6 @@
 import logging
+from collections import namedtuple
+from time import sleep
 from typing import Any
 from typing import Dict
 from typing import List
@@ -15,6 +17,8 @@ from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
 
+RepoPermission = namedtuple('RepoPermission', ['repo_url', 'permission'])
+
 
 @timeit
 def get_teams(org: str, api_url: str, token: str) -> Tuple[PaginatedGraphqlData, Dict[str, Any]]:
@@ -45,26 +49,53 @@ def get_teams(org: str, api_url: str, token: str) -> Tuple[PaginatedGraphqlData,
 
 @timeit
 def _get_team_repos_for_multiple_teams(
-        team_raw_data: List[Dict[str, Any]],
+        team_raw_data: list[dict[str, Any]],
         org: str,
         api_url: str,
         token: str,
-) -> Dict[str, Any]:
-    result = {}
+) -> dict[str, list[RepoPermission]]:
+    result: dict[str, list[RepoPermission]] = {}
     for team in team_raw_data:
         team_name = team['slug']
         repo_count = team['repositories']['totalCount']
 
-        team_repos = _get_team_repos(org, api_url, token, team_name) if repo_count > 0 else None
+        if repo_count == 0:
+            # This team has access to no repos so let's move on
+            result[team_name] = []
+            continue
 
         repo_urls = []
         repo_permissions = []
-        if team_repos:
-            repo_urls = [t['url'] for t in team_repos.nodes] if team_repos.nodes else []
-            repo_permissions = [t['permission'] for t in team_repos.edges] if team_repos.edges else []
+
+        max_tries = 5
+
+        for current_try in range(1, max_tries + 1):
+            team_repos = _get_team_repos(org, api_url, token, team_name)
+
+            try:
+                # The `or []` is because `.nodes` can be None. See:
+                # https://docs.github.com/en/graphql/reference/objects#teamrepositoryconnection
+                for repo in team_repos.nodes or []:
+                    repo_urls.append(repo['url'])
+
+                # The `or []` is because `.edges` can be None.
+                for edge in team_repos.edges or []:
+                    repo_permissions.append(edge['permission'])
+                # We're done! Break out of the retry loop.
+                break
+
+            except TypeError:
+                # Handles issue #1334
+                logger.warning(
+                    f"GitHub returned None when trying to find repo or permission data for team {team_name}.",
+                    exc_info=True,
+                )
+                if current_try == max_tries:
+                    raise RuntimeError(f"GitHub returned a None repo url for team {team_name}, retries exhausted.")
+                sleep(current_try ** 2)
 
         # Shape = [(repo_url, 'WRITE'), ...]]
-        result[team_name] = list(zip(repo_urls, repo_permissions))
+        result[team_name] = [RepoPermission(url, perm) for url, perm in zip(repo_urls, repo_permissions)]
     return result
 
 
@@ -114,8 +145,8 @@ def _get_team_repos(org: str, api_url: str, token: str, team: str) -> PaginatedG
 def transform_teams(
         team_paginated_data: PaginatedGraphqlData,
         org_data: Dict[str, Any],
-        team_repo_data: Dict[str, Any],
-) -> List[Dict[str, Any]]:
+        team_repo_data: dict[str, list[RepoPermission]],
+) -> list[dict[str, Any]]:
     result = []
     for team in team_paginated_data.nodes:
         team_name = team['slug']

cartography/intel/kandji/__init__.py

@@ -21,7 +21,7 @@ def start_kandji_ingestion(neo4j_session: neo4j.Session, config: Config) -> None
     """
     if config.kandji_base_uri is None or config.kandji_token is None or config.kandji_tenant_id is None:
         logger.warning(
-            'Required parameter(s) missing. Skipping sync.',
+            'Required parameter missing. Skipping sync. '
             'See docs to configure.',
         )
         return

cartography/intel/semgrep/findings.py

@@ -3,10 +3,11 @@ from typing import Any
 from typing import Dict
 from typing import List
 from typing import Tuple
-from urllib.error import HTTPError
 
 import neo4j
 import requests
+from requests.exceptions import HTTPError
+from requests.exceptions import ReadTimeout
 
 from cartography.client.core.tx import load
 from cartography.graph.job import GraphJob
@@ -20,6 +21,7 @@ from cartography.util import timeit
 
 logger = logging.getLogger(__name__)
 stat_handler = get_stats_client(__name__)
+_PAGE_SIZE = 500
 _TIMEOUT = (60, 60)
 _MAX_RETRIES = 3
 
@@ -48,60 +50,91 @@ def get_deployment(semgrep_app_token: str) -> Dict[str, Any]:
 
 
 @timeit
-def get_sca_vulns(semgrep_app_token: str, deployment_id: str) -> List[Dict[str, Any]]:
+def get_sca_vulns(semgrep_app_token: str, deployment_slug: str) -> List[Dict[str, Any]]:
     """
     Gets the SCA vulns associated with the passed Semgrep App token and deployment id.
     param: semgrep_app_token: The Semgrep App token to use for authentication.
-    param: deployment_id: The Semgrep deployment id to use for retrieving SCA vulns.
+    param: deployment_slug: The Semgrep deployment slug to use for retrieving SCA vulns.
     """
     all_vulns = []
-    sca_url = f"https://semgrep.dev/api/v1/deployments/{deployment_id}/ssc-vulns"
+    sca_url = f"https://semgrep.dev/api/v1/deployments/{deployment_slug}/findings"
     has_more = True
-    cursor: Dict[str, str] = {}
-    page = 1
+    page = 0
     retries = 0
     headers = {
         "Content-Type": "application/json",
         "Authorization": f"Bearer {semgrep_app_token}",
     }
 
-    request_data = {
-        "deploymentId": deployment_id,
-        "pageSize": 100,
-        "exposure": ["UNREACHABLE", "REACHABLE", "UNKNOWN_EXPOSURE"],
-        "refs": ["_default"],
+    request_data: dict[str, Any] = {
+        "page": page,
+        "page_size": _PAGE_SIZE,
+        "issue_type": "sca",
+        "exposures": "reachable,always_reachable,conditionally_reachable,unreachable,unknown",
+        "ref": "_default",
+        "dedup": "true",
     }
-
+    logger.info(f"Retrieving Semgrep SCA vulns for deployment '{deployment_slug}'.")
     while has_more:
 
-        if cursor:
-            request_data.update({
-                "cursor": {
-                    "vulnOffset": cursor["vulnOffset"],
-                    "issueOffset": cursor["issueOffset"],
-                },
-            })
         try:
-            response = requests.post(sca_url, json=request_data, headers=headers, timeout=_TIMEOUT)
+            response = requests.get(sca_url, params=request_data, headers=headers, timeout=_TIMEOUT)
             response.raise_for_status()
             data = response.json()
-        except HTTPError as e:
+        except (ReadTimeout, HTTPError) as e:
             logger.warning(f"Failed to retrieve Semgrep SCA vulns for page {page}. Retrying...")
             retries += 1
             if retries >= _MAX_RETRIES:
                 raise e
             continue
-        vulns = data["vulns"]
-        cursor = data.get("cursor")
-        has_more = data.get("hasMore", False)
+        vulns = data["findings"]
+        has_more = len(vulns) > 0
         if page % 10 == 0:
-            logger.info(f"Processed {page} pages of Semgrep SCA vulnerabilities so far.")
+            logger.info(f"Processed page {page} of Semgrep SCA vulnerabilities.")
         all_vulns.extend(vulns)
         retries = 0
+        page += 1
+        request_data["page"] = page
 
+    logger.info(f"Retrieved {len(all_vulns)} Semgrep SCA vulns in {page} pages.")
     return all_vulns
 
 
+def _get_vuln_class(vuln: Dict) -> str:
+    vulnerability_classes = vuln["rule"].get("vulnerability_classes", [])
+    if vulnerability_classes:
+        return vulnerability_classes[0]
+    return "Other"
+
+
+def _determine_exposure(vuln: Dict[str, Any]) -> str | None:
+    # See Semgrep reachability types:
+    # https://semgrep.dev/docs/semgrep-supply-chain/overview#types-of-semgrep-supply-chain-findings
+    reachability_types = {
+        "NO REACHABILITY ANALYSIS": 2,
+        "UNREACHABLE": 2,
+        "REACHABLE": 0,
+        "ALWAYS REACHABLE": 0,
+        "CONDITIONALLY REACHABLE": 1,
+    }
+    reachable_flag = vuln["reachability"]
+    if reachable_flag and reachable_flag.upper() in reachability_types:
+        reach_score = reachability_types[reachable_flag.upper()]
+        if reach_score < reachability_types["UNREACHABLE"]:
+            return "REACHABLE"
+        else:
+            return "UNREACHABLE"
+    return None
+
+
+def _build_vuln_url(vuln: str) -> str | None:
+    if 'CVE' in vuln:
+        return f"https://nvd.nist.gov/vuln/detail/{vuln}"
+    if 'GHSA' in vuln:
+        return f"https://github.com/advisories/{vuln}"
+    return None
+
+
 def transform_sca_vulns(raw_vulns: List[Dict[str, Any]]) -> Tuple[List[Dict[str, Any]], List[Dict[str, str]]]:
     """
     Transforms the raw SCA vulns response from Semgrep API into a list of dicts
@@ -112,46 +145,59 @@ def transform_sca_vulns(raw_vulns: List[Dict[str, Any]]) -> Tuple[List[Dict[str,
     for vuln in raw_vulns:
         sca_vuln: Dict[str, Any] = {}
         # Mandatory fields
-        sca_vuln["id"] = vuln["groupKey"]
-        sca_vuln["repositoryName"] = vuln["repositoryName"]
-        sca_vuln["ruleId"] = vuln["advisory"]["ruleId"]
-        sca_vuln["title"] = vuln["advisory"]["title"]
-        sca_vuln["description"] = vuln["advisory"]["description"]
-        sca_vuln["ecosystem"] = vuln["advisory"]["ecosystem"]
-        sca_vuln["severity"] = vuln["advisory"]["severity"]
-        sca_vuln["reachability"] = vuln["advisory"]["reachability"]
-        sca_vuln["reachableIf"] = vuln["advisory"]["reachableIf"]
-        sca_vuln["exposureType"] = vuln["exposureType"]
-        dependency = f"{vuln['matchedDependency']['name']}|{vuln['matchedDependency']['versionSpecifier']}"
+        repository_name = vuln["repository"]["name"]
+        rule_id = vuln["rule"]["name"]
+        vulnerability_class = _get_vuln_class(vuln)
+        package = vuln['found_dependency']['package']
+        sca_vuln["id"] = vuln["id"]
+        sca_vuln["repositoryName"] = repository_name
+        sca_vuln["branch"] = vuln["ref"]
+        sca_vuln["ruleId"] = rule_id
+        sca_vuln["title"] = package + ":" + vulnerability_class
+        sca_vuln["description"] = vuln["rule"]["message"]
+        sca_vuln["ecosystem"] = vuln["found_dependency"]["ecosystem"]
+        sca_vuln["severity"] = vuln["severity"].upper()
+        sca_vuln["reachability"] = vuln["reachability"].upper()  # Check done to determine rechabilitity
+        sca_vuln["reachableIf"] = vuln["reachable_condition"].upper() if vuln["reachable_condition"] else None
+        sca_vuln["exposureType"] = _determine_exposure(vuln)  # Determintes if reachable or unreachable
+        dependency = f"{package}|{vuln['found_dependency']['version']}"
         sca_vuln["matchedDependency"] = dependency
-        sca_vuln["dependencyFileLocation_path"] = vuln["dependencyFileLocation"]["path"]
-        sca_vuln["dependencyFileLocation_url"] = vuln["dependencyFileLocation"]["url"]
-        # Optional fields
-        sca_vuln["transitivity"] = vuln.get("transitivity", None)
-        cves = vuln.get("advisory", {}).get("references", {}).get("cveIds")
-        if len(cves) > 0:
-            # Take the first CVE
-            sca_vuln["cveId"] = vuln["advisory"]["references"]["cveIds"][0]
-        if vuln.get('closestSafeDependency'):
-            dep_fix = f"{vuln['closestSafeDependency']['name']}|{vuln['closestSafeDependency']['versionSpecifier']}"
+        dep_url = vuln["found_dependency"]["lockfile_line_url"]
+        if dep_url:  # Lock file can be null, need to set
+            dep_file = dep_url.split("/")[-1].split("#")[0]
+            sca_vuln["dependencyFileLocation_path"] = dep_file
+            sca_vuln["dependencyFileLocation_url"] = dep_url
+        else:
+            if sca_vuln.get("location"):
+                sca_vuln["dependencyFileLocation_path"] = sca_vuln["location"]["file_path"]
+        sca_vuln["transitivity"] = vuln["found_dependency"]["transitivity"].upper()
+        if vuln.get("vulnerability_identifier"):
+            vuln_id = vuln["vulnerability_identifier"].upper()
+            sca_vuln["cveId"] = vuln_id
+            sca_vuln["ref_urls"] = [_build_vuln_url(vuln_id)]
+        if vuln.get('fix_recommendations') and len(vuln['fix_recommendations']) > 0:
+            fix = vuln['fix_recommendations'][0]
+            dep_fix = f"{fix['package']}|{fix['version']}"
             sca_vuln["closestSafeDependency"] = dep_fix
-        if vuln["advisory"].get("references", {}).get("urls", []):
-            sca_vuln["ref_urls"] = vuln["advisory"].get("references", {}).get("urls", [])
-        sca_vuln["openedAt"] = vuln.get("openedAt", None)
-        sca_vuln["announcedAt"] = vuln.get("announcedAt", None)
-        sca_vuln["fixStatus"] = vuln["triage"]["status"]
-        for usage in vuln.get("usages", []):
+        sca_vuln["openedAt"] = vuln["created_at"]
+        sca_vuln["fixStatus"] = vuln["status"]
+        sca_vuln["triageStatus"] = vuln["triage_state"]
+        sca_vuln["confidence"] = vuln["confidence"]
+        usage = vuln.get("usage")
+        if usage:
             usage_dict = {}
+            url = usage["location"]["url"]
             usage_dict["SCA_ID"] = sca_vuln["id"]
-            usage_dict["findingId"] = usage["findingId"]
+            usage_dict["findingId"] = hash(url.split("github.com/")[-1])
             usage_dict["path"] = usage["location"]["path"]
-            usage_dict["startLine"] = usage["location"]["startLine"]
-            usage_dict["startCol"] = usage["location"]["startCol"]
-            usage_dict["endLine"] = usage["location"]["endLine"]
-            usage_dict["endCol"] = usage["location"]["endCol"]
-            usage_dict["url"] = usage["location"]["url"]
+            usage_dict["startLine"] = usage["location"]["start_line"]
+            usage_dict["startCol"] = usage["location"]["start_col"]
+            usage_dict["endLine"] = usage["location"]["end_line"]
+            usage_dict["endCol"] = usage["location"]["end_col"]
+            usage_dict["url"] = url
             usages.append(usage_dict)
         vulns.append(sca_vuln)
+
     return vulns, usages
 
 
@@ -228,9 +274,10 @@ def sync(
     logger.info("Running Semgrep SCA findings sync job.")
     semgrep_deployment = get_deployment(semgrep_app_token)
     deployment_id = semgrep_deployment["id"]
+    deployment_slug = semgrep_deployment["slug"]
     load_semgrep_deployment(neo4j_sesion, semgrep_deployment, update_tag)
     common_job_parameters["DEPLOYMENT_ID"] = deployment_id
-    raw_vulns = get_sca_vulns(semgrep_app_token, deployment_id)
+    raw_vulns = get_sca_vulns(semgrep_app_token, deployment_slug)
     vulns, usages = transform_sca_vulns(raw_vulns)
     load_semgrep_sca_vulns(neo4j_sesion, vulns, deployment_id, update_tag)
     load_semgrep_sca_usages(neo4j_sesion, usages, deployment_id, update_tag)

cartography/intel/snipeit/__init__.py

@@ -0,0 +1,30 @@
+import logging
+
+import neo4j
+
+from cartography.config import Config
+from cartography.intel.snipeit import asset
+from cartography.intel.snipeit import user
+from cartography.stats import get_stats_client
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+stat_handler = get_stats_client(__name__)
+
+
+@timeit
+def start_snipeit_ingestion(neo4j_session: neo4j.Session, config: Config) -> None:
+    if config.snipeit_base_uri is None or config.snipeit_token is None or config.snipeit_tenant_id is None:
+        logger.warning(
+            "Required parameter(s) missing. Skipping sync.",
+        )
+        return
+
+    common_job_parameters = {
+        "UPDATE_TAG": config.update_tag,
+        "TENANT_ID": config.snipeit_tenant_id,
+    }
+
+    # Ingest SnipeIT users and assets
+    user.sync(neo4j_session, common_job_parameters, config.snipeit_base_uri, config.snipeit_token)
+    asset.sync(neo4j_session, common_job_parameters, config.snipeit_base_uri, config.snipeit_token)

cartography/intel/snipeit/asset.py

@@ -0,0 +1,74 @@
+import logging
+from typing import Any
+from typing import Dict
+from typing import List
+
+import neo4j
+
+from .util import call_snipeit_api
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.snipeit.asset import SnipeitAssetSchema
+from cartography.models.snipeit.tenant import SnipeitTenantSchema
+from cartography.util import timeit
+
+
+logger = logging.getLogger(__name__)
+
+
+@timeit
+def get(base_uri: str, token: str) -> List[Dict]:
+    api_endpoint = "/api/v1/hardware"
+    results: List[Dict[str, Any]] = []
+    while True:
+        offset = len(results)
+        api_endpoint = f"{api_endpoint}?order='asc'&offset={offset}"
+        response = call_snipeit_api(api_endpoint, base_uri, token)
+        results.extend(response['rows'])
+
+        total = response['total']
+        results_count = len(results)
+        if results_count >= total:
+            break
+
+    return results
+
+
+@timeit
+def load_assets(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: Dict,
+    data: List[Dict[str, Any]],
+) -> None:
+    # Create the SnipeIT Tenant
+    load(
+        neo4j_session,
+        SnipeitTenantSchema(),
+        [{'id': common_job_parameters["TENANT_ID"]}],
+        lastupdated=common_job_parameters["UPDATE_TAG"],
+    )
+
+    load(
+        neo4j_session,
+        SnipeitAssetSchema(),
+        data,
+        lastupdated=common_job_parameters["UPDATE_TAG"],
+        TENANT_ID=common_job_parameters["TENANT_ID"],
+    )
+
+
+@timeit
+def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
+    GraphJob.from_node_schema(SnipeitAssetSchema(), common_job_parameters).run(neo4j_session)
+
+
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: Dict,
+    base_uri: str,
+    token: str,
+) -> None:
+    assets = get(base_uri=base_uri, token=token)
+    load_assets(neo4j_session=neo4j_session, common_job_parameters=common_job_parameters, data=assets)
+    cleanup(neo4j_session, common_job_parameters)

cartography/intel/snipeit/user.py

@@ -0,0 +1,75 @@
+import logging
+from typing import Any
+from typing import Dict
+from typing import List
+
+import neo4j
+
+from .util import call_snipeit_api
+from cartography.client.core.tx import load
+from cartography.graph.job import GraphJob
+from cartography.models.snipeit.tenant import SnipeitTenantSchema
+from cartography.models.snipeit.user import SnipeitUserSchema
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+
+
+@timeit
+def get(base_uri: str, token: str) -> List[Dict]:
+    api_endpoint = "/api/v1/users"
+    results: List[Dict[str, Any]] = []
+    while True:
+        offset = len(results)
+        api_endpoint = f"{api_endpoint}?order='asc'&offset={offset}"
+        response = call_snipeit_api(api_endpoint, base_uri, token)
+        results.extend(response['rows'])
+
+        total = response['total']
+        results_count = len(results)
+        if results_count >= total:
+            break
+
+    return results
+
+
+@timeit
+def load_users(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: Dict,
+    data: List[Dict[str, Any]],
+) -> None:
+    logger.debug(data[0])
+
+    # Create the SnipeIT Tenant
+    load(
+        neo4j_session,
+        SnipeitTenantSchema(),
+        [{'id': common_job_parameters["TENANT_ID"]}],
+        lastupdated=common_job_parameters["UPDATE_TAG"],
+    )
+
+    load(
+        neo4j_session,
+        SnipeitUserSchema(),
+        data,
+        lastupdated=common_job_parameters["UPDATE_TAG"],
+        TENANT_ID=common_job_parameters["TENANT_ID"],
+    )
+
+
+@timeit
+def cleanup(neo4j_session: neo4j.Session, common_job_parameters: Dict) -> None:
+    GraphJob.from_node_schema(SnipeitUserSchema(), common_job_parameters).run(neo4j_session)
+
+
+@timeit
+def sync(
+    neo4j_session: neo4j.Session,
+    common_job_parameters: Dict,
+    base_uri: str,
+    token: str,
+) -> None:
+    users = get(base_uri=base_uri, token=token)
+    load_users(neo4j_session, common_job_parameters, users)
+    cleanup(neo4j_session, common_job_parameters)

cartography/intel/snipeit/util.py

@@ -0,0 +1,35 @@
+import logging
+from typing import Any
+from typing import Dict
+
+import requests
+
+from cartography.util import timeit
+
+logger = logging.getLogger(__name__)
+# Connect and read timeouts of 60 seconds each; see https://requests.readthedocs.io/en/master/user/advanced/#timeouts
+_TIMEOUT = (60, 60)
+
+
+@timeit
+def call_snipeit_api(api_and_parameters: str, base_uri: str, token: str) -> Dict[str, Any]:
+    uri = base_uri + api_and_parameters
+    try:
+        logger.debug(
+            "SnipeIT: Get %s", uri,
+        )
+        response = requests.get(
+            uri,
+            headers={
+                'Accept': 'application/json',
+                'Authorization': f'Bearer {token}',
+            },
+            timeout=_TIMEOUT,
+        )
+    except requests.exceptions.Timeout:
+        # Add context and re-raise for callers to handle
+        logger.warning(f"SnipeIT: requests.get('{uri}') timed out.")
+        raise
+    # if call failed, use requests library to raise an exception
+    response.raise_for_status()
+    return response.json()

cartography/models/semgrep/findings.py

@@ -17,6 +17,7 @@ class SemgrepSCAFindingNodeProperties(CartographyNodeProperties):
     lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
     rule_id: PropertyRef = PropertyRef('ruleId', extra_index=True)
     repository: PropertyRef = PropertyRef('repositoryName', extra_index=True)
+    branch: PropertyRef = PropertyRef('branch')
     summary: PropertyRef = PropertyRef('title', extra_index=True)
     description: PropertyRef = PropertyRef('description')
     package_manager: PropertyRef = PropertyRef('ecosystem')
@@ -32,8 +33,9 @@ class SemgrepSCAFindingNodeProperties(CartographyNodeProperties):
     dependency_file: PropertyRef = PropertyRef('dependencyFileLocation_path', extra_index=True)
     dependency_file_url: PropertyRef = PropertyRef('dependencyFileLocation_url', extra_index=True)
     scan_time: PropertyRef = PropertyRef('openedAt')
-    published_time: PropertyRef = PropertyRef('announcedAt')
     fix_status: PropertyRef = PropertyRef('fixStatus')
+    triage_status: PropertyRef = PropertyRef('triageStatus')
+    confidence: PropertyRef = PropertyRef('confidence')
 
 
 @dataclass(frozen=True)

cartography/models/snipeit/asset.py

@@ -0,0 +1,81 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import OtherRelationships
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class SnipeitAssetNodeProperties(CartographyNodeProperties):
+    """
+    https://snipe-it.readme.io/reference/hardware-list
+    """
+    # Common properties
+    id: PropertyRef = PropertyRef('id')
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+    # SnipeIT specific properties
+    asset_tag: PropertyRef = PropertyRef('asset_tag')
+    assigned_to: PropertyRef = PropertyRef('assigned_to.email')
+    category: PropertyRef = PropertyRef('category.name')
+    company: PropertyRef = PropertyRef('company.name')
+    manufacturer: PropertyRef = PropertyRef('manufacturer.name')
+    model: PropertyRef = PropertyRef('model.name')
+    serial: PropertyRef = PropertyRef('serial', extra_index=True)
+
+
+###
+# (:SnipeitAsset)<-[:ASSET]-(:SnipeitTenant)
+###
+@dataclass(frozen=True)
+class SnipeitTenantToSnipeitAssetRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class SnipeitTenantToSnipeitAssetRel(CartographyRelSchema):
+    target_node_label: str = 'SnipeitTenant'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('TENANT_ID', set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "HAS_ASSET"
+    properties: SnipeitTenantToSnipeitAssetRelProperties = SnipeitTenantToSnipeitAssetRelProperties()
+
+
+###
+# (:SnipeitUser)-[:HAS_CHECKED_OUT]->(:SnipeitAsset)
+###
+@dataclass(frozen=True)
+class SnipeitUserToSnipeitAssetProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class SnipeitUserToSnipeitAssetRel(CartographyRelSchema):
+    target_node_label: str = 'SnipeitUser'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'email': PropertyRef('assigned_to.email')},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "HAS_CHECKED_OUT"
+    properties: SnipeitUserToSnipeitAssetProperties = SnipeitUserToSnipeitAssetProperties()
+
+
+###
+@dataclass(frozen=True)
+class SnipeitAssetSchema(CartographyNodeSchema):
+    label: str = 'SnipeitAsset'  # The label of the node
+    properties: SnipeitAssetNodeProperties = SnipeitAssetNodeProperties()  # An object representing all properties
+    sub_resource_relationship: SnipeitTenantToSnipeitAssetRel = SnipeitTenantToSnipeitAssetRel()
+    other_relationships: OtherRelationships = OtherRelationships(
+        [
+            SnipeitUserToSnipeitAssetRel(),
+        ],
+    )

cartography/models/snipeit/tenant.py

@@ -0,0 +1,17 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+
+
+@dataclass(frozen=True)
+class SnipeitTenantNodeProperties(CartographyNodeProperties):
+    id: PropertyRef = PropertyRef('id')
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+class SnipeitTenantSchema(CartographyNodeSchema):
+    label: str = 'SnipeitTenant'  # The label of the node
+    properties: SnipeitTenantNodeProperties = SnipeitTenantNodeProperties()  # An object representing all properties

cartography/models/snipeit/user.py

@@ -0,0 +1,49 @@
+from dataclasses import dataclass
+
+from cartography.models.core.common import PropertyRef
+from cartography.models.core.nodes import CartographyNodeProperties
+from cartography.models.core.nodes import CartographyNodeSchema
+from cartography.models.core.relationships import CartographyRelProperties
+from cartography.models.core.relationships import CartographyRelSchema
+from cartography.models.core.relationships import LinkDirection
+from cartography.models.core.relationships import make_target_node_matcher
+from cartography.models.core.relationships import TargetNodeMatcher
+
+
+@dataclass(frozen=True)
+class SnipeitUserNodeProperties(CartographyNodeProperties):
+    """
+    Ref: https://snipe-it.readme.io/reference/users
+    """
+    # Common properties
+    id: PropertyRef = PropertyRef('id')
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+    # SnipeIT specific properties
+    company: PropertyRef = PropertyRef('company_id.name', extra_index=True)
+    email: PropertyRef = PropertyRef('email', extra_index=True)
+    username: PropertyRef = PropertyRef('username')
+
+
+@dataclass(frozen=True)
+class SnipeitTenantToSnipeitUserRelProperties(CartographyRelProperties):
+    lastupdated: PropertyRef = PropertyRef('lastupdated', set_in_kwargs=True)
+
+
+@dataclass(frozen=True)
+# (:SnipeitTenant)-[:HAS_USER]->(:SnipeitUser)
+class SnipeitTenantToSnipeitUserRel(CartographyRelSchema):
+    target_node_label: str = 'SnipeitTenant'
+    target_node_matcher: TargetNodeMatcher = make_target_node_matcher(
+        {'id': PropertyRef('TENANT_ID', set_in_kwargs=True)},
+    )
+    direction: LinkDirection = LinkDirection.INWARD
+    rel_label: str = "HAS_USER"
+    properties: SnipeitTenantToSnipeitUserRelProperties = SnipeitTenantToSnipeitUserRelProperties()
+
+
+@dataclass(frozen=True)
+class SnipeitUserSchema(CartographyNodeSchema):
+    label: str = 'SnipeitUser'  # The label of the node
+    properties: SnipeitUserNodeProperties = SnipeitUserNodeProperties()  # An object representing all properties
+    sub_resource_relationship: SnipeitTenantToSnipeitUserRel = SnipeitTenantToSnipeitUserRel()

cartography/sync.py

@@ -30,6 +30,7 @@ import cartography.intel.lastpass
 import cartography.intel.oci
 import cartography.intel.okta
 import cartography.intel.semgrep
+import cartography.intel.snipeit
 from cartography.config import Config
 from cartography.stats import set_stats_client
 from cartography.util import STATUS_FAILURE
@@ -57,6 +58,7 @@ TOP_LEVEL_MODULES = OrderedDict({  # preserve order so that the default sync alw
     'bigfix': cartography.intel.bigfix.start_bigfix_ingestion,
     'duo': cartography.intel.duo.start_duo_ingestion,
     'semgrep': cartography.intel.semgrep.start_semgrep_ingestion,
+    'snipeit': cartography.intel.snipeit.start_snipeit_ingestion,
     'analysis': cartography.intel.analysis.run,
 })
 

cartography/util.py

@@ -225,7 +225,7 @@ If not, then the AWS datatype somehow does not have this key.''',
     return items
 
 
-AWSGetFunc = TypeVar('AWSGetFunc', bound=Callable[..., List])
+AWSGetFunc = TypeVar('AWSGetFunc', bound=Callable[..., Iterable])
 
 # fix for AWS TooManyRequestsException
 # https://github.com/lyft/cartography/issues/297

{cartography-0.93.0rc1.dist-info → cartography-0.94.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: cartography
-Version: 0.93.0rc1
+Version: 0.94.0
 Summary: Explore assets and their relationships across your technical infrastructure.
 Home-page: https://www.github.com/lyft/cartography
 Maintainer: Lyft

{cartography-0.93.0rc1.dist-info → cartography-0.94.0.dist-info}/RECORD

@@ -1,11 +1,11 @@
 cartography/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/__main__.py,sha256=JftXT_nUPkqcEh8uxCCT4n-OyHYqbldEgrDS-4ygy0U,101
-cartography/cli.py,sha256=ot9_gMxw5_irVS7KYfWf5HIr2Xkb10RDEbOTY1nzUcw,31787
-cartography/config.py,sha256=rL1zgxZO47_R7S6E9e0CwxmhzRSN0X_q93NtcPR1G00,11368
+cartography/cli.py,sha256=MpS6JwnRZKPfXIxD-cV--bDLjgLqQjFzmIWNzX--ZcE,33385
+cartography/config.py,sha256=5E_YlWUdqBg94cUcugsRkihjEn-RxagG8M3lBliTiQA,11966
 cartography/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/stats.py,sha256=dbybb9V2FuvSuHjjNwz6Vjwnd1hap2C7h960rLoKcl8,4406
-cartography/sync.py,sha256=a80r_IzrZcWGSmRDRrxkesNYPiOuLte5YHvDQT3L-Lw,9730
-cartography/util.py,sha256=F3FPMJl1KDW0x_5cvt2ZGI0Dv1LVrHU7Az4OleAANBI,14474
+cartography/sync.py,sha256=5mUuo1Kr1_yVFSikWYY8sxXk-Ii5k1e8eqivMFdnkks,9829
+cartography/util.py,sha256=umfnjX8jVLu0rpYA75X-WvRpYzHQxns9qZiPwfyAlwQ,14478
 cartography/client/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/client/aws/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/client/aws/iam.py,sha256=dYsGikc36DEsSeR2XVOVFFUDwuU9yWj_EVkpgVYCFgM,1293
@@ -118,7 +118,7 @@ cartography/data/jobs/cleanup/okta_groups_cleanup.json,sha256=cBI3f_okl4pnVH48L1
 cartography/data/jobs/cleanup/okta_import_cleanup.json,sha256=4XQwYpY9vITLhnLpijMVa5PxO0Tm38CcMydnbPdQPm0,3798
 cartography/data/jobs/cleanup/pagerduty_import_cleanup.json,sha256=RJqG_Uw_QEGTer_-s2IuZ3a2kykhUcCdDNZu0S7SEB4,4457
 cartography/data/jobs/scoped_analysis/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-cartography/data/jobs/scoped_analysis/semgrep_sca_risk_analysis.json,sha256=Nlx4xRISmn_RQjVoRO1qAc2KtkiGy8i4mUB1NBPjCVc,6451
+cartography/data/jobs/scoped_analysis/semgrep_sca_risk_analysis.json,sha256=eIYxbl5TdgVzN8En2JozWoyKAiIh3Dp8wUMkTDPGZY0,6485
 cartography/driftdetect/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/driftdetect/__main__.py,sha256=Sz24Kxy5x6RC3GQEkuUDXzjOV3SvlHVkZdvPl1GLl5E,125
 cartography/driftdetect/add_shortcut.py,sha256=COtcCW9T0ss-bP1B2y9gEk3kN6HA01kkurSiDBNLzco,2377
@@ -135,7 +135,7 @@ cartography/driftdetect/util.py,sha256=Lqxv8QoFn3_3Fz18qCOjkjJ6yBwgrHjrxXmArBAEd
 cartography/graph/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/graph/cleanupbuilder.py,sha256=87vFrOJo66hOrrqeNwXp18WrNQEheHTlZko9KUkXWhY,8021
 cartography/graph/context.py,sha256=RGxGb8EnxowcqjR0nFF86baNhgRHeUF9wjIoFUoG8LU,1230
-cartography/graph/job.py,sha256=VBKc0VLbDz1zm5jslF49nbPbQS7DkdQwfPG7rdLSc1w,7288
+cartography/graph/job.py,sha256=RZWsbNhHuJlcSpw4C73ZuovRTp7kGrcm3X9yUH8vT1Q,7488
 cartography/graph/querybuilder.py,sha256=MMXzUEg4td-YmHMNM97KAqDZ6-1wNClO2jmJoG47BTY,20108
 cartography/graph/statement.py,sha256=VsqG46ty_Mm87fr8YdIwfr6a82OUXU7yZe6S-Py9hZg,5345
 cartography/intel/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -153,11 +153,11 @@ cartography/intel/aws/elasticache.py,sha256=fCI47aDFmIDyE26GiReKYb6XIZUwrzcvsXBQ
 cartography/intel/aws/elasticsearch.py,sha256=ZL7MkXF_bXRSoXuDSI1dwGckRLG2zDB8LuAD07vSLnE,8374
 cartography/intel/aws/emr.py,sha256=xhWBVZngxJRFjMEDxwq3G6SgytRGLq0v2a_CeDvByR0,3372
 cartography/intel/aws/iam.py,sha256=eLw0NkBGKzCI_tQ3wmrx3aUibQerrsxKJd3d0RCKcKQ,32374
-cartography/intel/aws/inspector.py,sha256=6enCu2USefuGT3FqA0Vto6i-z4BrL2HC_clbiXSLIlo,8654
+cartography/intel/aws/inspector.py,sha256=S22ZgRKEnmnBTJ-u0rodqRPB7_LkSIek47NeBxN4XJw,9336
 cartography/intel/aws/kms.py,sha256=bZUzMxAH_DsAcGTJBs08gg2tLKYu-QWjvMvV9C-6v50,11731
 cartography/intel/aws/lambda_function.py,sha256=KKTyn53xpaMI9WvIqxmsOASFwflHt-2_5ow-zUFc2wg,9890
 cartography/intel/aws/organizations.py,sha256=HaQZ3J5XF15BuykuDypqFORDYpnoHuRRr4DuceewH4s,4485
-cartography/intel/aws/permission_relationships.py,sha256=PhOnag0a1gZHtUg82546MKhj-8IcGJ7wLbvPASUBXlg,14792
+cartography/intel/aws/permission_relationships.py,sha256=IarV9gt5BaplZ5TPo_mfypt9bTKfT9qDtqC3Ob89qGI,14904
 cartography/intel/aws/rds.py,sha256=vnlNYmrO2Cc0PNn31CeG2QwYhwjVosbQFE9Ol1vQyLE,25252
 cartography/intel/aws/redshift.py,sha256=KOqiXIllHmtPTeaNGl-cX4srY5pFE6o12j8MQ5-zWpc,6694
 cartography/intel/aws/resourcegroupstaggingapi.py,sha256=aq4kPF6t8QZZoTxdkQVLXH65Di41CDJVM9llJNe6iaY,10278
@@ -175,7 +175,7 @@ cartography/intel/aws/ec2/images.py,sha256=heElwHJGqVD3iUJjxwA_Sdc3CmE4HPs00CTMH
 cartography/intel/aws/ec2/instances.py,sha256=mnTjdBY-4D-TGhH29UrSaLUW0Uft0JApDIJkkLz4zPc,12170
 cartography/intel/aws/ec2/internet_gateways.py,sha256=dI-4-85_3DGGZZBcY_DN6XqESx9P26S6jKok314lcnQ,2883
 cartography/intel/aws/ec2/key_pairs.py,sha256=SvRgd56vE4eouvTSNoFK8PP8HYoECO91goxc36oq_FY,2508
-cartography/intel/aws/ec2/launch_templates.py,sha256=YhLh_O2cZbeoKXA6MXmwkxJJi0ubZb5FyouTYykuq1k,5372
+cartography/intel/aws/ec2/launch_templates.py,sha256=aeqaL8On38ET8nM8bISsIXLy6PkZoV-tqSWG38YXgkI,6010
 cartography/intel/aws/ec2/load_balancer_v2s.py,sha256=95FfQQn740gexINIHDJizOM4OKzRtQT_y2XQMipQ5Dg,8661
 cartography/intel/aws/ec2/load_balancers.py,sha256=1GwErzGqi3BKCARqfGJcD_r_D84rFKVy5kNMas9jAok,6756
 cartography/intel/aws/ec2/network_interfaces.py,sha256=CzF8PooCYUQ2pk8DR8JDAhkWRUQSBj_27OsIfkL_-Cs,9199
@@ -230,7 +230,7 @@ cartography/intel/gcp/gke.py,sha256=qaTwsVaxkwNhW5_Mw4bedOk7fgJK8y0LwwcYlUABXDg,
 cartography/intel/gcp/storage.py,sha256=oO_ayEhkXlj2Gn7T5MU41ZXiqwRwe6Ud4wzqyRTsyf4,9075
 cartography/intel/github/__init__.py,sha256=y876JJGTDJZEOFCDiNCJfcLNxN24pVj4s2N0YmuuoaE,1914
 cartography/intel/github/repos.py,sha256=YPDdBMk6NkZjwPcqPW5LlCy_OS9tKcrZD6ygiUG93J0,21766
-cartography/intel/github/teams.py,sha256=mofyJeJVOD7Umh9Rq6QnAwom9bBHBx18kyvFMvQX5YE,5383
+cartography/intel/github/teams.py,sha256=aXI-XbxlA1IDaAUX0XSdEt6pA2n4ew5j_doj1iNYCDM,6618
 cartography/intel/github/users.py,sha256=kQp0dxzP08DVrdvfVeCciQbrKPbbFvwbR_p_I_XGt7s,3826
 cartography/intel/github/util.py,sha256=K6hbxypy4luKhIE1Uh5VWZc9OyjMK2OuO00vBAQfloA,8049
 cartography/intel/gsuite/__init__.py,sha256=AGIUskGlLCVGHbnQicNpNWi9AvmV7_7hUKTt-hsB2J8,4306
@@ -238,7 +238,7 @@ cartography/intel/gsuite/api.py,sha256=J0dkNdfBVMrEv8vvStQu7YKVxXSyV45WueFhUS4aO
 cartography/intel/jamf/__init__.py,sha256=Nof-LrUeevoieo6oP2GyfTwx8k5TUIgreW6hSj53YjQ,419
 cartography/intel/jamf/computers.py,sha256=EfjlupQ-9HYTjOrmuwrGuJDy9ApAnJvk8WrYcp6_Jkk,1673
 cartography/intel/jamf/util.py,sha256=EAyP8VpOY2uAvW3HtX6r7qORNjGa1Tr3fuqezuLQ0j4,1017
-cartography/intel/kandji/__init__.py,sha256=OHZJNzuNibIfJ51OkL3XL2EdA_ZmvPHPeWCQUld4J64,1079
+cartography/intel/kandji/__init__.py,sha256=Y38bVRmrGVJRy0mSof8xU-cuEyJ7N_oI7KekYjYyuiQ,1076
 cartography/intel/kandji/devices.py,sha256=j_rP6rQ5VPT_XEcGXx7Yt6eCOm1Oe3I2qWIxXODXEcA,2224
 cartography/intel/kubernetes/__init__.py,sha256=jaOTEanWnTrYvcBN1XUC5oqBhz1AJbFmzoT9uu_VBSg,1481
 cartography/intel/kubernetes/namespaces.py,sha256=6o-FgAX_Ai5NCj2xOWM-RNWEvn0gZjVQnZSGCJlcIhw,2710
@@ -271,7 +271,11 @@ cartography/intel/pagerduty/teams.py,sha256=aRubUXgEVVReyLrXAX_be1E_QBJv3Qlr4n77
 cartography/intel/pagerduty/users.py,sha256=oltGssxrnzYsV6QTGP1SsPoA1rCUDStj6vGlGWY695g,1623
 cartography/intel/pagerduty/vendors.py,sha256=WlDHExrWRBegDQKtxBV5nJiYgwoTLxNee4HrQDJ-Pdg,1559
 cartography/intel/semgrep/__init__.py,sha256=94vjdszGEosvXiKtYWKD34BRKwRbJxlBO1PZcKdxnFA,619
-cartography/intel/semgrep/findings.py,sha256=hbH_wL1XJDZDDrbIV_FjPv4A7oS2xM_hhMAbZlRm9po,9025
+cartography/intel/semgrep/findings.py,sha256=9MSbDFrRUqb5nkEWN0R9Fx57RJMt27-9obpIHXNd45Y,10836
+cartography/intel/snipeit/__init__.py,sha256=0uIh8NbuI7IbfgaOrPHg4Nfm1yO6mTRC_qaFiIjR2FA,992
+cartography/intel/snipeit/asset.py,sha256=KkGRUgIydvf_6SHtgpVLT-TjtEGz029SrOaoh0qDW6E,1997
+cartography/intel/snipeit/user.py,sha256=hm9v_p29bphHtGe9LKVo1FD_rQcbCigrCRf8YsmteXA,1971
+cartography/intel/snipeit/util.py,sha256=fXlzdFQXm01Oaa2REYNN7x3y3k2l3zCVhf_BxcRUELY,1040
 cartography/models/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/models/aws/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/models/aws/emr.py,sha256=TkuwoZnw_VHbJ5bwkac7-ZfwSLe_TeK3gxkuwGQOUk4,3037
@@ -330,12 +334,16 @@ cartography/models/lastpass/tenant.py,sha256=TG-9LFo9Sfzb9UgcTt_gFVTKocLItbgQMMP
 cartography/models/lastpass/user.py,sha256=SMTTYN6jgccc9k76hY3rVImElJOhHhZ9f1aZ6JzcrHw,3487
 cartography/models/semgrep/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 cartography/models/semgrep/deployment.py,sha256=or5qZDuR51MXzINpH15jZrqmSUvXQevCNYWJ7D6v-JI,745
-cartography/models/semgrep/findings.py,sha256=xrn8sgXpNMrNJbKQagaAVxaCG9bVjTATSRR2XRBR4rg,5386
+cartography/models/semgrep/findings.py,sha256=RPd-QzvP38fbTIqFARx6XpcZSsd5JM3KIg-ZlJA7NlE,5490
 cartography/models/semgrep/locations.py,sha256=kSk7Nn5Mn4Ob84MVZOo2GR0YFi-9Okq9pgA3FfC6_bk,3061
-cartography-0.93.0rc1.dist-info/LICENSE,sha256=489ZXeW9G90up6ep-D1n-lJgk9ciNT2yxXpFgRSidtk,11341
-cartography-0.93.0rc1.dist-info/METADATA,sha256=1r_kEpkQWTPR77ToFbTkU78iBSTCM9JuQdleKFo3dJE,1991
-cartography-0.93.0rc1.dist-info/NOTICE,sha256=YOGAsjFtbyKj5tslYIg6V5jEYRuEvnSsIuDOUKj0Qj4,97
-cartography-0.93.0rc1.dist-info/WHEEL,sha256=Z4pYXqR_rTB7OWNDYFOm1qRk0RX6GFP2o8LgvP453Hk,91
-cartography-0.93.0rc1.dist-info/entry_points.txt,sha256=GVIAWD0o0_K077qMA_k1oZU4v-M0a8GLKGJR8tZ-qH8,112
-cartography-0.93.0rc1.dist-info/top_level.txt,sha256=BHqsNJQiI6Q72DeypC1IINQJE59SLhU4nllbQjgJi9g,12
-cartography-0.93.0rc1.dist-info/RECORD,,
+cartography/models/snipeit/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+cartography/models/snipeit/asset.py,sha256=FyRAaeXuZjMy0eUQcSDFcgEAF5lbLMlvqp1Tv9d3Lv4,3238
+cartography/models/snipeit/tenant.py,sha256=p4rFnpNNuF1W5ilGBbexDaETWTwavfb38RcQGoImkQI,679
+cartography/models/snipeit/user.py,sha256=MsB4MiCVNTH6JpESime7cOkB89autZOXQpL6Z0l7L6o,2113
+cartography-0.94.0.dist-info/LICENSE,sha256=489ZXeW9G90up6ep-D1n-lJgk9ciNT2yxXpFgRSidtk,11341
+cartography-0.94.0.dist-info/METADATA,sha256=9v4HeSznhEKST3TK3YKaipeJ75pxCunQLCTqqmerloI,1988
+cartography-0.94.0.dist-info/NOTICE,sha256=YOGAsjFtbyKj5tslYIg6V5jEYRuEvnSsIuDOUKj0Qj4,97
+cartography-0.94.0.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
+cartography-0.94.0.dist-info/entry_points.txt,sha256=GVIAWD0o0_K077qMA_k1oZU4v-M0a8GLKGJR8tZ-qH8,112
+cartography-0.94.0.dist-info/top_level.txt,sha256=BHqsNJQiI6Q72DeypC1IINQJE59SLhU4nllbQjgJi9g,12
+cartography-0.94.0.dist-info/RECORD,,

{cartography-0.93.0rc1.dist-info → cartography-0.94.0.dist-info}/WHEEL

@@ -1,5 +1,5 @@
 Wheel-Version: 1.0
-Generator: setuptools (70.3.0)
+Generator: setuptools (75.1.0)
 Root-Is-Purelib: true
 Tag: py3-none-any